Lucene search

GoogleOSV:GHSA-MVF6-HWXH-7V76

HistoryMar 18, 2024 - 9:30 a.m.

Information leakage in YAQL

2024-03-1809:30:30

Google

osv.dev

information leakage

yaql

murano

muranopl

environment

sensitive information

software

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.8%

JSON

YAQL before 3.0.0 is used in Murano, the Murano service’s MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.

CPENameOperatorVersion
yaqleq1.0.2
yaqleq0.2.2
yaqleq0.2.5
yaqleq1.1.3
yaqleq1.1.1
yaqleq1.0.0b2
yaqleq1.0.0.0rc1
yaqleq0.2.4
yaqleq1.1.0
yaqleq0.2.6

Name	Operator	Version
yaql	eq	1.0.2
yaql	eq	0.2.2
yaql	eq	0.2.5
yaql	eq	1.1.3
yaql	eq	1.1.1
yaql	eq	1.0.0b2
yaql	eq	1.0.0.0rc1
yaql	eq	0.2.4
yaql	eq	1.1.0
yaql	eq	0.2.6

Rows per page:

1-10 of 251

References

bugs.launchpad.net/murano/+bug/2048114

launchpad.net/bugs/2048114

nvd.nist.gov/vuln/detail/CVE-2024-29156

opendev.org/openstack/murano/tags

opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3

wiki.openstack.org/wiki/OSSN/OSSN-0093